When discussing ransomware groups, too often the focus is on their names, such as Noberus, Royal, and AvosLocker, rather than the tactics, techniques, and procedures (TTPs) used in an attack before ransomware is deployed. For example, the particularly heavy use of legitimate software tools in ransomware attack chains has been notable in recent times. In fact, we rarely see a ransomware attack that doesn’t use legitimate software.
Staying Under the Radar: Why Abuse Is Rampant
Ransomware attacks remain a major cybersecurity problem. Ransomware actors, like threat actors in general, are abusing legitimate software for a number of reasons. First is a desire for stealthiness — they’re trying to get into and out of networks as quickly as possible without being discovered. Leveraging legitimate software can allow attackers’ activity to remain hidden, which may allow them to achieve their goals on a victim network without being discovered. Legitimate software misuse also can make attribution of an attack more difficult, and these tools can also lower barriers to entry. This means less-skilled hackers may still be able to conduct quite wide-ranging and disruptive attacks.
The legitimate tools we most commonly see being used by malicious actors are remote monitoring and management (RMM) tools, such as AnyDesk, Atera, TeamViewer, ConnectWise, and more. In fact, the use of RMM software by malicious actors was considered serious enough for the Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert. As recently as February this year, the Symantec Threat Hunter team saw ConnectWise used in both Noberus and Royal ransomware attacks. These tools are commonly used legitimately by IT departments in small, midsize, and large organizations.
Rclone, a legitimate tool for managing content in the cloud, was also used in a Noberus attack recently. In this particular case, attackers used Rclone to exfiltrate files because their earlier attempt to exfiltrate data, using their own custom ExMatter tool, had failed as it was blocked by security software.
AdFind, a legitimate free command-line query tool that can be used for gathering information from Active Directory, is also frequently used by ransomware attackers, who use it to map a network. PDQ Deploy, a tool that sysadmins use to apply patches, is also often abused by attackers, who use it to drop scripts onto victim networks quite efficiently. It’s not just legitimate tools that are used for malicious purposes by ransomware actors. For example, multiple state-sponsored groups have used legitimate cloud infrastructure such as Google Drive, Dropbox, OneDrive, and others for command-and-control (C&C) infrastructure and to exfiltrate and store stolen data.
Attacks that leverage legitimate software and infrastructure present a particular challenge for both defenders and organizations. A blunt-instrument approach such as blocking the service or tool doesn’t work in these kinds of cases.
And this problem isn’t going away. With every new technology, bad actors will find a way to use it for their own nefarious purposes. For example, a few years ago the cloud wasn’t necessarily a big feature in many organizations. Now, obviously, as more data is moving to the cloud, the infrastructure itself is being used for malicious means, and legitimate tools for use in the cloud, such as Rclone, are being misused by attackers.
To reduce the risk of misuse of legitimate software, organizations should take the following steps: